Overview
- Palo Alto Networks confirms the spies accessed and exfiltrated data from victim email servers, including financial negotiations and military or police updates.
- The operation relied on tailored phishing and exploitation of known vulnerabilities across widely used enterprise software, with no evidence of zero-day use.
- Researchers identified the DiaoYu loader and a previously unknown Linux kernel rootkit called ShadowGuard that uses eBPF to hide processes and files.
- Confirmed victims include five national police or border agencies, three finance ministries, one parliament, and national telecommunications companies, with some intrusions persisting for months.
- Unit 42 assesses a state-aligned actor operating on GMT+8 whose campaigns aligned with geopolitical events and conducted late-2025 reconnaissance against infrastructure tied to 155 governments.